Solved

MS365 Backup

Hello, is it possible to set up different service accounts for MS365 backup and give only the needed permissions to these dedicated users in the admin center of MS365? If yes, can someone share some information about it? I was looking in the documentation but I don't find anything.
Maybe there is some documentation from Commvault and/or Microsoft available?

Or should it be run over modern authentication to not have these issues?

Many thanks and best regards

Philipp

Best answer by Manas Mutha

Using modern authentication is much safer than using basic authentication.

If you use basic authentication, you can create service accounts per application in Office 365. Rather, it is recommended to use different sets of service accounts for each application. The links below provide info on how to create a service account for each application.

https://documentation.commvault.com/11.22/essential/93799_providing_service_accounts_access_to_mailboxes_in_exchange_online_through_azure_active_directory_01.html

https://documentation.commvault.com/commvault/v11_sp20/article?p=18078_1.htm


12 replies

DGarra
Vaulter
  • 10 replies
  • January 12, 2021

Phillip, 

Service accounts do not have the ability to be designated towards specific users at this time. Our teams write the code around the idea that the service accounts have “god” access as far as the backups/restores go, to allow for multiple facets of data management. 

The mailbox agent also has the ability to leverage these accounts in tandem in order to get around throughput/throttling issues on the O365 end, so we wouldn't have any way of rotating them during one job if they were dedicated towards specific users. Modern authentication is built around the same concepts; there wouldn't be any difference there.

The only logistical way I could see this happening would be to architect it from the o365 side, where certain users are in certain tenants, and you would have separate service accounts for specific tenants. 

 

Hope this helps, 

 


  • Author
  • Commvault Certified Expert
  • 40 replies
  • January 13, 2021

Hello, 

Many thanks for your reply. It is not completely clear to me: that means the god-mode admin (global admin) creates the service accounts, and afterwards I can disable this user? The question is related to security thinking, so if this user is hacked, is it only able to log in to Exchange, for example, and not to Teams, SharePoint and OneDrive? Or am I thinking wrong here, maybe?

 

Cheers 


DGarra
Vaulter
  • 10 replies
  • January 13, 2021

Phillipp, 

 

To clarify, there are two accounts in the equation when setting up Exchange backups via command center in an Azure AD setup. (Hybrid and on-premise are a little different) 

 

  1. The global admin account that is used only when creating the Azure apps, in order to create the applications needed for the backup. As the global account is "god" over the entire tenant, we can issue commands to assign all required permissions to the apps, to cover mailboxes. Add an App for Exchange Online Using the Express Configuration Option (commvault.com) This was done to avoid the need for tedious creation of applications manually, where they were generally created incorrectly. In theory, if you are not actively in the process of adding Azure apps, we have no reason to have this account in the equation. This account is also NOT cached anywhere in CV.
  2. The other account needed is the Exchange Online service account, which needs to actually have a mailbox: Providing Service Accounts Access to Mailboxes Exchange Online (commvault.com) This account is "god" over Exchange, as compared to the entire tenant. THIS account will be used actively. This account wouldn't have the ability to get into SharePoint or OneDrive unless you gave it that level of access for some reason.
  3. Neither of these are able to be set up in a way where they can select specific mailboxes based on security. The Azure apps are rotated dynamically through all jobs, so there's no way to apply some to some mailboxes, and some to others. We do this to avoid MSFT throttling. The Exchange Online admin is the same concept.

-Daniel

 

 


  • Author
  • Commvault Certified Expert
  • 40 replies
  • January 14, 2021

Thanks, it is now a little bit more clear.


  • Author
  • Commvault Certified Expert
  • 40 replies
  • January 14, 2021

But I can also use the god admin, or am I wrong? So the global admin?


  • Vaulter
  • 9 replies
  • Answer
  • January 14, 2021

Using modern authentication is much safer than using basic authentication.

If you use basic authentication, you can create service accounts per application in Office 365. Rather, it is recommended to use different sets of service accounts for each application. The links below provide info on how to create a service account for each application.

https://documentation.commvault.com/11.22/essential/93799_providing_service_accounts_access_to_mailboxes_in_exchange_online_through_azure_active_directory_01.html

https://documentation.commvault.com/commvault/v11_sp20/article?p=18078_1.htm


  • Author
  • Commvault Certified Expert
  • 40 replies
  • January 14, 2021

OK, got it. And in this command I have to change username1 and username2 to the correct names, correct? And I should use the complete name, for example service.exchange.1@onmicrosoft.com, right?

 

New-RoleGroup -Name "ExchangeOnlineBackupRoleGroup" -Roles "ApplicationImpersonation", "View-Only Recipients" -Members serviceaccount1,serviceaccount2
 


  • Vaulter
  • 9 replies
  • January 14, 2021

Yes.
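The New-RoleGroup command quoted above, and Daniel's point that the Exchange Online service account should be "god" over Exchange but nothing else, both come down to the same defender's question: after the command runs, does the role group grant exactly those two roles, to exactly those accounts, and nothing wider? The following script is an added example, not from the thread or from Commvault's documentation. It assumes the ExchangeOnlineManagement module is installed, that the person running it holds Exchange admin rights, that each service account's UPN equals its primary SMTP address, and that the two account names are constructed placeholders to be replaced with the tenant's real accounts.

```powershell
# Added example (not from the thread): create the role group for the backup service
# accounts as in the command above, then audit what it actually grants so the backup
# identity stays scoped to Exchange Online and does not drift into tenant-wide admin.
# Assumes: ExchangeOnlineManagement module installed; caller has Exchange admin rights;
# UPN == primary SMTP address. The account names below are constructed placeholders.
$ServiceAccounts = @(
    'service.exchange.1@contoso.onmicrosoft.com',
    'service.exchange.2@contoso.onmicrosoft.com'
)
$RoleGroupName = 'ExchangeOnlineBackupRoleGroup'
$ExpectedRoles = @('ApplicationImpersonation', 'View-Only Recipients')

Connect-ExchangeOnline -ShowBanner:$false

# Create the role group only if it does not exist yet, so the script is safe to re-run.
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $ExpectedRoles -Members $ServiceAccounts
}

# Audit 1: the role group must carry exactly the expected roles and nothing more.
$AssignedRoles = (Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName).Role
$ExtraRoles   = $AssignedRoles | Where-Object { $_ -notin $ExpectedRoles }
$MissingRoles = $ExpectedRoles | Where-Object { $_ -notin $AssignedRoles }
if ($ExtraRoles)   { Write-Warning "Unexpected roles on $RoleGroupName : $($ExtraRoles -join ', ')" }
if ($MissingRoles) { Write-Warning "Roles missing from $RoleGroupName : $($MissingRoles -join ', ')" }

# Audit 2: membership must be exactly the service accounts, no stray admins added later.
$Members = (Get-RoleGroupMember -Identity $RoleGroupName).PrimarySmtpAddress
$ExtraMembers = $Members | Where-Object { $_ -notin $ServiceAccounts }
if ($ExtraMembers) { Write-Warning "Unexpected members in $RoleGroupName : $($ExtraMembers -join ', ')" }

# Audit 3: the service accounts must not also sit in Organization Management, the
# tenant-wide Exchange admin group, which would defeat the scoping discussed above.
$OrgMgmt = (Get-RoleGroupMember -Identity 'Organization Management').PrimarySmtpAddress
foreach ($Account in $ServiceAccounts) {
    if ($OrgMgmt -contains $Account) {
        Write-Warning "$Account is in Organization Management; remove it to keep the backup identity scoped."
    }
}

# Audit 4: each service account needs a mailbox, as noted earlier in the thread.
foreach ($Account in $ServiceAccounts) {
    if (-not (Get-Mailbox -Identity $Account -ErrorAction SilentlyContinue)) {
        Write-Warning "$Account has no mailbox; Exchange Online backup requires one."
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this once after provisioning and again on a schedule: the value is in audits 1 to 3, which catch the role group quietly gaining roles or members over time. Whether the service accounts also hold Azure AD directory roles (such as Global Administrator) is not visible from Exchange Online cmdlets and needs a separate check against the directory. One caveat for anyone reading this later: Microsoft has since announced the retirement of the ApplicationImpersonation role in Exchange Online, so check current Commvault documentation for the replacement permission model before relying on this exact role list.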


  • Author
  • Commvault Certified Expert
  • 40 replies
  • January 14, 2021

Thanks, sorry to ask these questions, but it is a completely new topic, as you may know and understand.


Damian Andre
Vaulter
  • 1287 replies
  • January 14, 2021
Philipp Swoboda wrote:

Thanks, sorry to ask these questions, but it is a completely new topic, as you may know and understand.

This is exactly what this community is for, keep asking :smiley:


  • Author
  • Commvault Certified Expert
  • 40 replies
  • January 14, 2021

How can you guys answer and take over the original message in the conversation? I am looking for it but I don't find it :smiley:

 


  • Vaulter
  • 9 replies
  • January 14, 2021

For the original question, are you looking for a way to create service accounts for a particular group of users rather than the entire organization?

Is that what you are looking for?

If not can you please explain that question again?
